Arbitrary Code Execution

The Login Activity com.insecureshop.LoginActivity contains the following code. As per the code, the android application obtains all the package names from the android device and creates package context for each package name. If there is any app whose package begins with com.insecureshopapp, the app tries to find com.insecureshopapp.MainInterface and call its getInstance method.

for (android.content.pm.PackageInfo info : getPackageManager().getInstalledPackages(0)) {
            java.lang.String packageName = info.packageName;
            kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(packageName, "packageName");
            if (kotlin.text.StringsKt.startsWith$default(packageName, "com.insecureshopapp", false, 2, (java.lang.Object) null)) {
                try {
                    android.content.Context packageContext = createPackageContext(packageName, 3);
                    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(packageContext, "packageContext");
                    java.lang.Object value = packageContext.getClassLoader().loadClass("com.insecureshopapp.MainInterface").getMethod("getInstance", new java.lang.Class[]{android.content.Context.class}).invoke((java.lang.Object) null, new java.lang.Object[]{this});
                    kotlin.jvm.internal.Intrinsics.checkExpressionValueIsNotNull(value, "packageContext.classLoad…€¦      .invoke(null, this)");
                    android.util.Log.d("object_value", value.toString());
                } catch (java.lang.Exception e) {
                    throw new java.lang.RuntimeException(e);
                }
            }
        }

An attacker can create their own app with a package name that begins with the right prefix, create the specified class with this method, and include in that method code that will then be executed in the context of the victim app.

Exploiting this may be tricky and not really straightforward. Go through the code in LoginActivity well and identify at what point the code execution will take place.

References:

PreviousWeak Host ValidationNextIntent Redirection (Access to Protected Components)

Last updated